Working with Ansible on Windows Hosts


Nk Chitturi

Nov 12, 2018, 4:07:10 PM
to Ansible Project
Hello All, did anyone figure out working with Ansible on Windows hosts? If so, please give me the process and info on how you guys get this working on Windows.

thanks,
Narmada 

Jordan Borean

Nov 12, 2018, 4:32:59 PM
to Ansible Project
Depends on what you mean by working on Windows, Ansible can remotely connect to a Windows host and execute modules against that. We have numerous docs and a quick Google search will give you lots of info and blog posts detailing how this can be done.

If you want to know if you can run Ansible as a controller on a Windows host, you cannot do this natively. The easiest way is to use Windows Subsystem for Linux (WSL) or set up a VM and run it from that. There are also numerous guides out there detailing these steps which are a quick Google search away.

Thanks

Jordan

Nk Chitturi

Nov 12, 2018, 4:52:29 PM
to Ansible Project
Thanks Jordan, yeah I am trying to use Windows as hosts and I spent a lot of time setting up Windows machines as hosts. I tried Kerberos as well but no luck.

Thad Guidry

Nov 12, 2018, 5:46:33 PM
to ansible...@googlegroups.com
Since you're using Windows, you might also want to know that the ecosystem is not only Ansible... DSC also provides the rest of what you often need.




--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/ea1c425d-83a6-4b93-a42f-842e661bde6f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Nk Chitturi

Nov 12, 2018, 5:57:12 PM
to Ansible Project
Thanks Thad, I am already using DSC for server configuration, but after going through Ansible I felt like using a single component for both Linux and Windows.
My ping playbook is not working at all on Windows hosts.

Jordan Borean

Nov 12, 2018, 6:50:46 PM
to Ansible Project
If you've already attempted to connect but it is failing, it would be best to share what you have done as well as any errors you are getting back. I can definitely tell you it is possible but without knowing what issues you are having it's hard to point you in the right direction.

Some things that would be good to know are:
  • The inventory you are using
  • The playbook you are running with
  • The command and output when you run with -vvv so we can see the errors
  • If you are running with Kerberos, a copy of the /etc/krb5.conf file
  • Whether you can run 'kinit user@DOMAIN' outside of Ansible successfully

Thanks

Jordan

Nk Chitturi

Nov 12, 2018, 7:44:36 PM
to ansible...@googlegroups.com
krb5.config

includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = XYZ.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 XYZ.COM = {
 }

[domain_realm]

_________________________________________
Inventory file:
[windows]
0.00.000.000 ansibel_ssh_user="user...@xyz.com" ansible_connection="winrm"

__________________________________________________________
/group_vars/windows.yml

ansible_user: user...@xyz.com
ansible_password: password
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_message_encryption: always
ansible_winrm_transport: kerberos
ansible_winrm_server_cert_validation: ignore
ansible_winrm_kerberos_delegation: true
__________________________________________________________________

Playbook
-
  name: ping test
  hosts: windows
  tasks:
    -
      name: ping test
      ping:


thanks,
Narmada


Jordan Borean

Nov 12, 2018, 9:19:07 PM
to Ansible Project
You're missing the most important thing: what's the error you are receiving, and whether kinit can get the user's token. Briefly looking at it:

  • The KDC has USER...@XYZ.COM, this should be a hostname and not an account of the domain controller
  • Your inventory file has ansibel_ssh_user, this has incorrect spelling and isn't needed because you have defined ansible_user in the group variables
  • You have ansible_winrm_message_encryption: always but because you are running over https this isn't needed, you can omit this value

Please share the output you are getting, preferably run Ansible with -vvv, and try to run kinit manually outside of Ansible to verify your kerb setup is correct.

Thanks

Jordan

Nk Chitturi

Nov 13, 2018, 12:03:20 PM
to ansible...@googlegroups.com
Thanks Jordan, I tried what you mentioned above, but this is the error I am getting:

fatal: [servername]: UNREACHABLE! => {"changed": false, "msg": "Kerberos auth failure for principal user...@xyz.com with subprocess: kinit: Cannot find KDC for realm \"xyz.com\" while getting initial credentials", "unreachable": true}
Please suggest a solution...

thanks,
Narmada 


Jordan Borean

Nov 13, 2018, 2:47:58 PM
to Ansible Project
So that error is saying it failed to run kinit to get a kerb ticket for the user 'user...@xyz.com'. This isn't necessarily an Ansible issue but a problem with how your Kerberos setup is done. It is saying it cannot contact/find the KDC in the realm 'xyz.com' so the one you have configured in your /etc/krb5.conf may not be correct or just not reachable.

Make sure the value for 'kdc' in the realms section is a valid hostname for your domain controller and that the host is able to resolve it to an actual host.

Thanks

Jordan
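
An added example (not part of the original posts and not Ansible's or MIT Kerberos's own code): a small lint for the two things the reply above points at, a [realms] entry that matches the principal's realm and a kdc value that is a hostname. The sample krb5.conf is a constructed copy of the layout posted in this thread, the principal `user@xyz.com` and the function names are hypothetical, and the case check relies on Kerberos realm names being case-sensitive (the error message looked up "xyz.com" while the file defines XYZ.COM).

```python
# Constructed sample mirroring the krb5.conf posted earlier in this thread.
SAMPLE_KRB5 = """\
[libdefaults]
 dns_lookup_realm = false
 rdns = false
 default_realm = XYZ.COM

[realms]
 XYZ.COM = {
 }

[domain_realm]
"""


def parse_realms(text):
    """Return {realm: [kdc, ...]} from the [realms] section (multi-line blocks)."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1].lower(), None
        elif section != "realms":
            continue
        elif line == "}":
            current = None
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                current = key
                realms.setdefault(key, [])
            elif current and key == "kdc":
                realms[current].append(value)
    return realms


def check_principal(krb5_text, principal):
    """Return [(code, message), ...] describing why kinit may not find a KDC."""
    realms = parse_realms(krb5_text)
    if "@" not in principal:
        return [("NO_REALM", "no @REALM in principal; default_realm applies")]
    realm = principal.rsplit("@", 1)[1]
    findings = []
    match = realm if realm in realms else None
    if match is None:
        # Realm names are case-sensitive; AD realms are the upper-cased domain.
        near = [r for r in realms if r.lower() == realm.lower()]
        if near:
            match = near[0]
            findings.append(("REALM_CASE", f"'{realm}' is not '{match}'"))
        else:
            findings.append(("REALM_MISSING", f"no [realms] entry for '{realm}'"))
    kdcs = realms.get(match, [])
    if match is not None and not kdcs:
        findings.append(("NO_KDC", f"'{match}' lists no kdc; only DNS SRV records can supply one"))
    for kdc in kdcs:
        if "@" in kdc:
            findings.append(("KDC_NOT_HOST", f"kdc '{kdc}' is an account, not a hostname"))
    return findings


if __name__ == "__main__":
    for code, message in check_principal(SAMPLE_KRB5, "user@xyz.com"):
        print(code, message)
```

An empty result only says the file is consistent; the kdc hostname still has to resolve and answer, which running kinit by hand confirms.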

Nk Chitturi

Nov 13, 2018, 4:00:04 PM
to ansible...@googlegroups.com
Now I am getting another new error. Somehow I am able to create a kinit ticket, but the error is:
(Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f83900ebc90>: Failed to establish a new connection: [Errno 111] Connection refused',))", "unreachable": true}


Jordan Borean

Nov 13, 2018, 4:56:01 PM
to Ansible Project
That either means the firewall is blocking that port or you have no HTTPS WinRM listener. To verify what listeners are active you can run 'winrm enumerate winrm/config/listener' on your Windows host.

Nk Chitturi

Nov 13, 2018, 5:24:54 PM
to ansible...@googlegroups.com
PS H:\> winrm enumerate winrm/config/listener
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn =  0.00.000.000,  , 127.0.0.1, ::1, fe80::5efe:10.33.138.118%5, fe80::7008:2200:c50:e8f4%3

Listener [Source="Compatibility"]
    Address = *
    Transport = HTTP
    Port = 80
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn =  0.00.000.000,   127.0.0.1, ::1, fe80::5efe:10.33.138.118%5, fe80::7008:2200:c50:e8f4%3

Listener [Source="Compatibility"]
    Address = *
    Transport = HTTPS
    Port = 443
    Hostname = <Servername.domain.com>
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 0.00.000.000, 127.0.0.1, ::1, fe80::5efe:10.33.138.118%5, fe80::7008:2200:c50:e8f4%3

PS H:\>

These are my inbound rules:
image.png
 


lucas.adam.jackson

Nov 13, 2018, 5:27:58 PM
to ansible...@googlegroups.com
Your problem is you're not listening on port 5986



Sent from my Samsung Galaxy smartphone.
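
An added example (not part of the original posts and not Ansible's own code): a parser for the `winrm enumerate winrm/config/listener` output shown above that reports whether any enabled listener matches the port and scheme the inventory points at. The listener text is a constructed copy of the thread's output trimmed to the fields used, the function names are hypothetical, and the default scheme (http for port 5985, https otherwise) is the documented behaviour of `ansible_winrm_scheme`.

```python
import re

# Constructed sample: the three listeners reported in this thread, trimmed to
# the fields the check reads.
SAMPLE_LISTENERS = """\
Listener [Source="GPO"]
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true

Listener [Source="Compatibility"]
    Transport = HTTP
    Port = 80
    Enabled = true

Listener [Source="Compatibility"]
    Transport = HTTPS
    Port = 443
    Hostname = <Servername.domain.com>
    Enabled = true
"""


def parse_listeners(text):
    """Parse each 'Listener [...]' block into a dict of its fields."""
    listeners = []
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r'Listener \[Source="([^"]*)"\]', line)
        if header:
            listeners.append({"Source": header.group(1)})
        elif line and listeners:
            # Fields without a value ("Hostname") are stored as empty strings.
            key, _, value = (part.strip() for part in line.partition("="))
            listeners[-1][key] = value
    return listeners


def expected_scheme(port, scheme=None):
    """Explicit ansible_winrm_scheme if given, else http for 5985, https otherwise."""
    return scheme or ("http" if port == 5985 else "https")


def diagnose(text, ansible_port, ansible_winrm_scheme=None):
    """Return (code, detail) for the port and scheme Ansible would connect with."""
    scheme = expected_scheme(ansible_port, ansible_winrm_scheme)
    enabled = [l for l in parse_listeners(text)
               if l.get("Enabled", "").lower() == "true"]
    on_port = [l for l in enabled if l.get("Port") == str(ansible_port)]
    if not on_port:
        have = ", ".join(f"{l.get('Transport', '?')}:{l.get('Port', '?')}" for l in enabled)
        return "NO_LISTENER", f"nothing listens on {ansible_port}; host has {have}"
    if not any(l.get("Transport", "").lower() == scheme for l in on_port):
        found = on_port[0].get("Transport", "?")
        return "SCHEME_MISMATCH", f"port {ansible_port} is {found}, Ansible would use {scheme}"
    return "OK", f"{scheme.upper()} listener on {ansible_port}"


if __name__ == "__main__":
    for port in (5986, 5985, 443):
        print(port, *diagnose(SAMPLE_LISTENERS, port))
```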

Nk Chitturi

Nov 13, 2018, 6:21:56 PM
to ansible...@googlegroups.com
Thanks Lucas, is there any way I can make it listen on port 5986, or can we use 5985 to connect?
But here is the output from my Windows host:
PS H:\> winrm enumerate winrm/config/listener
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn =  0.00.000.000,  , 127.0.0.1, ::1, 
Listener [Source="Compatibility"]
    Address = *
    Transport = HTTP
    Port = 80
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn =  0.00.000.000,   127.0.0.1, ::1, 
Listener [Source="Compatibility"]
    Address = *
    Transport = HTTPS
    Port = 443
    Hostname = <Servername.domain.com>
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 0.00.000.000, 127.0.0.1, ::1, 



lucas.adam.jackson

Nov 13, 2018, 6:36:30 PM
to ansible...@googlegroups.com
It's up to you, depends on the use case. Preferably using https over 5986.

Good script to use for configuring winrm for ansible 


You can configure the listener manually if you prefer but the script works well

Nk Chitturi

Nov 13, 2018, 7:21:00 PM
to Ansible Project
Thanks all,
I am able to run ping module on windows machines. 

On Tuesday, November 13, 2018 at 3:47:28 PM UTC-8, Nk Chitturi wrote:
I ran this script multiple times on my Windows machine but no use.
If I change my vars to http, it gives a very big error:
[nchitturi@sjc04d1shdwb51 ansible-windows]$ ansible-playbook windows_ping.yaml -i inventory.txt

PLAY [ping test] **********************************************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************************
ok: [servername]

TASK [ping test] **********************************************************************************************************************************************
 [WARNING]: FATAL ERROR DURING FILE TRANSFER:

fatal: [SJC04D1SHDWB01.SDLC.TESLAMOTORS.COM]: FAILED! => {"msg": "winrm send_input failed; \nstdout: Unable to initialize device PRN\r\nUnable to initialize device PRN\r\nUnable to initialize device PRN\r\n\nstderr ANSIBALLZ_WRAPPER : The term 'ANSIBALLZ_WRAPPER' is not recognized as the name of a cmdlet, function, script file, or \r\noperable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try \r\nagain.\r\nAt line:1 char:1\r\n+ ANSIBALLZ_WRAPPER = True # For test-module script to tell this is a A ...\r\n+ ~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : ObjectNotFound: (ANSIBALLZ_WRAPPER:String) [], CommandNotFoundException\r\n    + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\nimport : The term 'import' is not recognized as the name of a cmdlet, function, script file, or operable program. \r\nCheck the spelling of the name, or if a path was included, verify that the path is correct and try again.\r\nAt line:1 char:1\r\n+ import os\r\n+ ~~~~~~\r\n    + CategoryInfo          : ObjectNotFound: (import:String) [], CommandNotFoundException\r\n    + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\nimport : The term 'import' is not recognized as the name of a cmdlet, function, script file, or operable program. \r\nCheck the spelling of the name, or if a path was included, verify that the path is correct and try again.\r\nAt line:1 char:1\r\n+ import os.path\r\n+ ~~~~~~\r\n    + CategoryInfo          : ObjectNotFound: (import:String) [], CommandNotFoundException\r\n    + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\nimport : The term 'import' is not recognized as the name of a cmdlet, function, script file, or operable program. 
\r\nCheck the spelling of the name, or if a path was included, verify that the path is correct and try again.\r\nAt line:1 char:1\r\n+ import sys\r\n+ ~~~~~~\r\n    + CategoryInfo          : ObjectNotFound: (import:String) [], CommandNotFoundException\r\n    + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\nimport : The term 'import' is not recognized as the name of a cmdlet, function, script file, or operable program. \r\nCheck the spelling of the name, or if a path was included, verify that the path is correct and try again.\r\nAt line:1 char:1\r\n+ import __main__\r\n+ ~~~~~~\r\n    + CategoryInfo          : ObjectNotFound: (import:String) [], CommandNotFoundException\r\n    + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\nscriptdir : The term 'scriptdir' is not recognized as the name of a cmdlet, function, script file, or operable \r\nprogram. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.\r\nAt line:1 char:1\r\n+ scriptdir = None\r\n+ ~~~~~~~~~\r\n    + CategoryInfo          : ObjectNotFound: (scriptdir:String) [], CommandNotFoundException\r\n    + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\ntry: : The term 'try:' is not recognized as the name of a cmdlet, function, script file, or operable program. Check \r\nthe spelling of the name, or if a path was included, verify that the path is correct and try again.\r\nAt line:1 char:1\r\n+ try:\r\n+ ~~~~\r\n    + CategoryInfo          : ObjectNotFound: (try::String) [], CommandNotFoundException\r\n    + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\n__main__.__file__ : The term '__main__.__file__' is not recognized as the name of a cmdlet, function, script file, or \r\noperable program. 
Check the spelling of the name, or if a path was included, verify that the path is correct and try \r\nagain.\r\nAt line:1 char:50\r\n+     scriptdir = os.path.dirname(os.path.realpath(__main__.__file__))\r\n+                                                  ~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : ObjectNotFound: (__main__.__file__:String) [], CommandNotFoundException\r\n    + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\nAt line:1 char:23\r\n+ except (AttributeError, OSError):\r\n+                       ~\r\nMissing argument in parameter list.\r\n    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException\r\n    + FullyQualifiedErrorId : MissingArgument\r\n \r\npass : The term 'pass' is not recognized as the name of a cmdlet, function, script file, or operable program. Check \r\nthe spelling of the name, or if a path was included, verify that the path is correct and try again.\r\nAt line:1 char:5\r\n+     pass\r\n+     ~~~~\r\n    + CategoryInfo          : ObjectNotFound: (pass:String) [], CommandNotFoundException\r\n    + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\nAt line:1 char:3\r\n+ if scriptdir is not None:\r\n+   ~\r\nMissing '(' after 'if' in if statement.\r\n    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException\r\n    + FullyQualifiedErrorId : MissingOpenParenthesisInIfStatement\r\n \r\nsys.path : Th


Nk Chitturi

Nov 13, 2018, 7:28:40 PM
to ansible...@googlegroups.com
Lucas or someone, can you help me with this? Currently in my krb5.config I added only 1 ho...@DOMAIN.com, but if I want to run on multiple Windows machines, do I need to add all my hosts to the krb5.config file?

thanks,
Narmada



Nk Chitturi

Nov 14, 2018, 1:41:00 PM
to Ansible Project
Thanks, it worked. I am able to ping Windows hosts, but I have one more challenge.
In my Kerberos file I am adding my host name to the realms, so if I need to run a script or anything on multiple Windows hosts, do I need to add all those hosts under realms?

[realms]
 XYZ.COM = {

Jordan Borean

Nov 14, 2018, 2:47:46 PM
to Ansible Project
You only need to have your kdc (domain controller) in the realms section. This file is used by the local krb5 libraries to know what host to talk to when getting a kerberos ticket. Windows hosts you are authenticating to just need to be resolvable in DNS but don't need to exist in your krb5.conf file.

Thanks

Jordan

Nk Chitturi

Nov 14, 2018, 5:29:51 PM
to ansible...@googlegroups.com
Thank you.
Maybe I made a silly mistake in writing my playbook, it is giving a syntax error:
-
  name: Stop Apppools
  hosts: windows-dev
  become: true
  tasks:
    -  name: Stop application pool
       win_iis_webpool:
         name: "apppoolname"
         state: stopped
image.png


lucas.adam.jackson

Nov 14, 2018, 5:37:23 PM
to ansible...@googlegroups.com
Looks like you have extra white space between hyphen and name



Sent from my Samsung Galaxy smartphone.


Nk Chitturi

Nov 14, 2018, 5:41:23 PM
to ansible...@googlegroups.com
no luck still same error

